Suppressing False Positives

Due to how dependency-check identifies libraries false positives may occur (i.e. a CPE was identified that is incorrect). Suppressing these false positives is fairly easy using the HTML report. In the report next to each CPE identified (and on CVE entries) there is a suppress button. Clicking the suppression button will create a dialogue box which you can simple hit Control-C to copy the XML that you would place into a suppression XML file. If this is the first time you are creating the suppression file you should click the “Complete XML Doc” button on the top of the dialogue box to add the necessary schema elements.

The above XML file will suppress the cpe:/a:apache:struts:2.0.0 from any file with the a matching SHA1 hash.

The following shows some other ways to suppress individual findings. Note the ways to select files using either the sha1 hash or the filePath (the filePath can also be a regex). Additionally, there are several things that can be suppressed - individual CPEs, individual CVEs, or all CVE entries below a specified CVSS score. The most common would be suppressing CPEs based off of SHA1 hashes or filePath (regexes) - these entries can be generated using the HTML version of the report. The other common scenario would be to ignore all CVEs below a certain CVSS threshold.